Documentation

Socket for GitHub Actions

Suggest Edits

Socket fights vulnerabilities and provides visibility, defense-in-depth, and proactive supply chain protection for your open source dependencies. It is easy to integrate Socket into your Github Actions to provide an extra layer of security against Supply Chain Attacks.

Adding Socket to your Github Actions Workflow


Create your Socket API Key

You can either create your API Key yourself if you have permissions in your socket.dev account or you can have your Admin create it for you with the Reports scope.

  1. Log into the socket.dev dashboard

  2. Go to Settings

  3. Go to the API Tokens tab

  4. Select Create API Token

  5. Give the token a name like Gitlab API Token

  6. Select the following scopes

    1. report

      1. report:list
      2. report:read

    2. repo

      1. repo:list
      2. repo:create
      3. repo:update

    3. full-scans

      1. full-scans:list
      2. full-scans:create

  7. Click Confirm

  8. Click on Show key

  9. Click on the API Token to copy

Create your Socket Environment variables

  1. Log into your Github Org
  2. Set up your Action Secret at either the Repo or Org level
    1. For the repo level
      1. Go to Settings
      2. Secrets and variables
      3. Actions
      4. New repository secret

Setup the Github Actions Workflow

The Action Workflow currently uses the auto generated Github Actions token based on the permissions that are requested in the Workflow. The sample Workflow Yaml can be customized to your needs. It currently runs on every push and issue_comment type event.

  1. Go to your repo
  2. Create a new file with the name .github/workflows/socket.yml
  3. Add in the Socket Actions Yaml from below. 
name: socket-security-workflow
run-name: Socket Security Github Action
on: [push, issue_comment, pull_request]
jobs:
  socket-security:
    permissions:
      issues: write
      contents: read
      pull-requests: write
    runs-on: ubuntu-latest
    if: ${{ (github.event_name == 'push' && format('refs/heads/{0}', github.event.repository.default_branch) == github.ref) || github.event_name == 'pull_request' || github.event_name == 'issue_comment'}}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: ${{ github.event_name == 'pull_request' && 2 || 0 }}
      - name: Get changed files
        id: changed-files
        run: |
            if ${{ github.event_name == 'pull_request' }}; then
                echo "changed_files=$(git diff --name-only -r HEAD^1 HEAD | xargs)" >> $GITHUB_OUTPUT
            else
                echo "changed_files=$(git diff --name-only ${{ github.event.before }} ${{ github.event.after }} | xargs)" >> $GITHUB_OUTPUT
            fi
      - uses: actions/setup-python@v5
        with:
          python-version: '3.12'
      - name: Get PR State
        if: github.event_name == 'pull_request'
        run: echo "EVENT_ACTION=${{ github.event.action }}" >> $GITHUB_ENV
      - name: Install Socket CLI
        run: pip install socketsecurity --upgrade
      - name: Check if Default Branch
        if: ${{ always() && format('refs/heads/{0}', github.event.repository.default_branch) == github.ref }}
        run: echo "DEFAULT_BRANCH=1" >> $GITHUB_ENV
      - uses: actions/github-script@v7
        id: get_pr_data
        with:
          script: |
              let data = (
                await github.rest.repos.listPullRequestsAssociatedWithCommit({
                  commit_sha: context.sha,
                  owner: context.repo.owner,
                  repo: context.repo.repo,
                })
              ).data[0];
              if (data === undefined) {
                data = {
                  'number': null,
                  'title': null
                }
              }
              
              return data;
      - name: Save Pull Request Number
        run: |
          echo "PR_NUMBER=${{ fromJson(steps.get_pr_data.outputs.result).number || github.event.issue.number || github.event.number }}"  >> $GITHUB_ENV
      - name: Run scan
        env:
          SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_SECURITY_API_KEY }}
          GH_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
        run: |
          CHANGED_FILES=$(echo "${{ steps.changed-files.outputs.changed_files }}" | tr " " "\n")
          FILES=""
          while IFS= read -r line; do
            FILES="$FILES\"$line\","
          done <<< "$CHANGED_FILES"
          FILES=$(echo $FILES | sed 's/,*$//')
          socketcli --files "[$FILES]" --scm github --repo ${{ github.event.repository.name }} --branch "${{ github.ref_name }}" $(if [ ! -z $DEFAULT_BRANCH ]; then echo "--default_branch"; fi) --pr_number $(if [ -z $PR_NUMBER ]; then echo 0; else echo $PR_NUMBER;fi) --committer "$GITHUB_ACTOR" --commit_message "$COMMIT_MESSAGE" --target_path $GITHUB_WORKSPACE

Updated about 1 month ago